Skip to content

feat(auth): add BFF Token Handler auth routes (Phase 3)#215

Merged
philmerrell merged 4 commits into
developfrom
feature/bff-phase-3-auth-routes
May 2, 2026
Merged

feat(auth): add BFF Token Handler auth routes (Phase 3)#215
philmerrell merged 4 commits into
developfrom
feature/bff-phase-3-auth-routes

Conversation

@philmerrell

Copy link
Copy Markdown
Contributor

Summary

Phase 3 of the BFF Token Handler migration. Adds the four browser-facing auth routes that the SPA will adopt at cutover (Phase 6), all dormant today since no SPA caller exists yet.

  • GET /auth/login — initiates Cognito OAuth code flow with PKCE state, redirects to Hosted UI.
  • GET /auth/callback — exchanges authorization code, persists a session row, writes sealed __Host-bff_session + __Host-bff_csrf cookies, redirects to the SPA.
  • GET /auth/session — returns the current user + CSRF token; the SPA calls this on bootstrap to confirm "am I logged in?"
  • POST /auth/logout — drops the session row, clears both cookies. Returns 204 — no Cognito /logout redirect; SPA owns post-logout UX. CSRF-exempt via _EXEMPT_PATHS.

Also a small Phase 1.5 CDK addition: BFF_AUTH_CALLBACK_URL and BFF_POST_LOGIN_REDIRECT_URL env vars on the app-api task, mirroring the URLs Phase 1 already pinned into the BFF Cognito client's callbackUrls/logoutUrls.

Refactors that other phases lean on

  • SessionCache.get_default_cache() is now a process-wide singleton, so logout invalidates the same in-memory entry the refresh middleware seeds.
  • resolve_bff_client_secret() is a module-level cache shared by both the refresh path and the new token-exchange path — one Secrets Manager call per process.

Why dormant

Phase 3 ships the routes but no SPA code calls them yet. Phase 5 will add the frontend SessionService; Phase 6 is the per-environment cutover that finally makes these the user-facing auth flow. Hitting /auth/login end-to-end works today as long as Phase 1 env vars are set — useful for manual smoke testing.

Test plan

  • 19 new tests across tests/apis/app_api/auth/bff/{test_login,test_callback,test_session,test_logout}.py
  • Architecture import-boundary check still passes (tests/architecture/test_import_boundaries.py)
  • Total BFF-related test count: 65 + architecture
  • Manual smoke: hit /auth/login against a deployed BFF Cognito client, verify cookie redirect lands on the post-login URL

🤖 Generated with Claude Code

Wires GET /auth/login, GET /auth/callback, GET /auth/session, and
POST /auth/logout on app-api against the confidential Cognito BFF
client. Routes are dormant — no SPA consumer until Phase 5.

CDK: adds BFF_AUTH_CALLBACK_URL + BFF_POST_LOGIN_REDIRECT_URL to the
app-api task env, mirroring the URLs Phase 1 already registered with
the BFF Cognito client.

Refactors: SessionCache exposes a process-wide get_default_cache()
singleton so logout invalidates the same instance the refresh
middleware seeds; secret resolution lifted into
resolve_bff_client_secret() so refresh + token-exchange share one
cached secret per process.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Comment thread backend/src/apis/app_api/auth/bff/routes.py Fixed
Comment thread backend/src/apis/shared/sessions_bff/refresh.py Fixed
Comment thread backend/src/apis/shared/sessions_bff/refresh.py Dismissed
philmerrell and others added 3 commits May 2, 2026 10:51
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
The Phase 3 BFF callback is a public OAuth landing — Cognito redirects
the browser there with `?code=...&state=...`, no Bearer involved.
Without this entry the sweep tries to assert unauthenticated /auth/callback
returns 401, but the route returns 503 ("BFF auth flow is not configured")
in CI because BFF env vars aren't set there. Same treatment as the
existing `/oauth/callback`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@philmerrell philmerrell merged commit 73be72c into develop May 2, 2026
24 checks passed
@philmerrell philmerrell deleted the feature/bff-phase-3-auth-routes branch May 2, 2026 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants